Runtime Debug Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real runtime debugging skill, but it asks for broad project modification, secret placement, remote installers, and external trace collection without enough safeguards.

Install only in a disposable branch or non-sensitive development environment. Review every dependency, installer, source edit, and config change before running it; do not commit API keys, tokens, generated instrumentation, or .syncause files; assume traces may contain sensitive runtime data; and remove SDK hooks, MCP entries, credentials, and generated files after debugging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The guide instructs installing a remote wheel directly from a GitHub release URL, which introduces unreviewed third-party code into the target project and expands behavior beyond simple local debugging guidance. Because the skill is framed as a debugging aid but silently adds a tracing package that may execute code and communicate externally, this creates a supply-chain and unauthorized capability risk.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The instructions tell the agent to modify the application's entry point and inject initialization code containing an API key, app name, and project ID so code runs automatically at startup. For a debugging skill, persistent startup instrumentation is highly sensitive because it can enable continuous telemetry, data exfiltration, or unintended execution in production contexts without prominent disclosure.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The combined behavior of detecting project files, modifying dependency manifests, locating startup files, and inserting runtime initialization code gives the skill broad code-altering and instrumentation capability that is not inherently necessary for merely analyzing traces. In context, this makes the skill more dangerous because it operationalizes installation and persistent execution of external tracing code across arbitrary Python projects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly instructs the agent to create new test and reproduction files inside the target project, which modifies the user's workspace. That can overwrite files, pollute repositories, trigger CI/tooling side effects, or introduce unintended executable artifacts, yet the skill does not clearly warn the user or require confirmation before making these changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill directs execution of reproduction commands such as Python scripts, Maven tests, and Jest tests on the user's system without a prominent warning that arbitrary project code and tests will run. In a debugging context this is especially risky because test or app execution may perform network access, mutate databases, invoke destructive hooks, or execute attacker-controlled repository code.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The teardown phase requires deleting the `.syncause` folder from the project root without an explicit warning or confirmation, which is a filesystem-destructive action. Even if intended as cleanup, deleting project directories can remove user data, erase debugging artifacts needed for auditability, or affect other tooling if the folder contents were important.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The documentation tells users to place what appears to be a live GitHub personal access token directly in pom.xml and interpolate it into a repository URL. This exposes a secret to source control, local build logs, CI systems, dependency tooling, and anyone with repository access, enabling unauthorized access to private packages or broader GitHub resources depending on token scope.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The plugin configuration directs instrumented code to communicate with an external WebSocket endpoint but does not disclose what data may be sent, when transmission occurs, or the privacy and security implications. In a debugging skill focused on runtime traces, this context makes the omission more dangerous because developers may unintentionally transmit source-derived metadata, stack traces, environment details, or sensitive application/runtime data to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The guide tells users to place a long-lived API key directly into multiple IDE/project configuration files, including project-level files, without any warning about accidental commit, local disclosure, workspace sharing, or file-permission risks. Because this skill is specifically for debugging and may be installed in developer environments across many tools, the secret-handling weakness is amplified: credentials can be exposed through source control, screenshots, support bundles, or shared repos.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The documentation instructs users to execute a remote shell script directly from GitHub via curl-pipe-bash, which runs unreviewed code immediately on the local system. This creates a supply-chain and remote code execution risk: if the upstream file, repository, or delivery path is compromised, users will execute attacker-controlled commands without inspection.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The installation instructions fetch a package from the network and later pair it with initialization that uses an API key, yet the guide provides no clear warning that external network activity, telemetry, or credential handling may occur. This lack of transparency is dangerous because users may unknowingly authorize outbound communication and embed secrets into application code under the guise of routine debugging setup.

VirusTotal

64/64 vendors flagged this skill as clean.